One Day Sec

How did the author determine the exact offset to overwrite the return address in the example program?

The author filled the input file with 56 test characters and used OllyDbg to debug the program, locating where the return address was overwritten in memory. By analyzing the stack layout and the buffer size (44 bytes), the offset was found to be at positions 53–56 of the input. This offset was then used to place the starting address of the buffer (0x0012FB7C) to redirect execution.
Tags: offset determination, OllyDbg, return address overwrite, buffer address